Staples Hit by a Data Breach: What to Do Now [Update]


Updated with comments from Staples.

There has been a data breach at US office supply retailer Staples, but it is not yet known how many people may have been affected. (Update: Staples says fewer than 2,500 people.)

Australian security researcher Troy Hunt, who runs the HaveIBeenPwned site (where you can check to see if your information was part of the data breach), announced the breach on Sunday on his Twitter account and posted copies of email messages sent to an unknown number of Staples online customers.

"We recently learned of an unauthorized access to a limited number of non-confidential customer order data on Staples.com, which may have contained information about your order," the email message said.

That information "may have included your name, address, email, phone number, last four digits of your payment card, the cost of your order, shipping, and product information. This information does not include your account information (username and password) or payment card number, and there is no indication that the purchase was made on your behalf."

In response to angry tweeters, Hunt explained that "non-confidential data" is defined differently in different legal jurisdictions. In most cases, names, addresses, and phone numbers are considered public records.

Those affected by this data breach may receive an increased number of spam email messages, text messages, and phone calls, and may be at increased risk for phishing attacks.

However, the information stolen in this data breach will not be of much use to someone trying to steal your identity or credit card numbers or hijack your Staples account.

Staples Canada does not appear to have been affected by this data breach; Bleeping Computer reports that the information breach on the Staples website in the US appears to have occurred around September 2.

We could find no mention of this data breach on the Staples website. We have reached out to Staples for comment and information on how many customers may have been affected.

Staples last had a security issue of this magnitude in 2014, when credit card thieves infected the payment systems of more than 100 Staples retail stores with malware designed to steal credit card details.

A Staples spokesperson responded to Tom's Guide's inquiry and issued this statement:

"Staples recently learned of unauthorized access to a limited amount of non-confidential customer order data on Staples.com. Less than 2,500 orders of data were affected.

"We investigated and took steps to remedy the situation. We take the protection of customer data seriously and notified users whose order data was determined to have been affected."
